# 21 - FTP ## Banner Grabbing ### **Telnet** ```sh telnet 10.0.0.3 21 ``` ### **Netcat** ```sh nc -n 10.0.0.3 21 ``` ### **NSE Script** ```sh nmap -sV -script banner -p21 -Pn 10.0.0.3 ``` ### **FTP** ```sh ftp 10.0.0.3 ``` ## FTP Exploitation ### Anonymous Login Note: During the port scanning phase Nmap’s script scan (`-sC`), can be enabled to check for FTP Bounce and Anonymous Login. Try anonymous login using `anonymous:anonymous` credentials. ```sh ftp 10.0.0.3 … Name (10.0.0.3:kali): anonymous 331 Please specify the password. Password: [anonymous] 230 Login successful. ``` List **all** files in order. ```sh ftp> ls -lat 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. … 226 Directory send OK. ``` ### FTP Browser Client {% hint style="info" %} Due to its insecure nature, FTP support is being dropped by Firefox and Google Chrome. {% endhint %} Try accessing `ftp://user:pass@10.0.0.3` from your browser. If not credentials provided `anonymous:anonymous` is assumed. ### Brute Forcing Se [Brute Forcing SSH](#brute-forcing) {% hint style="info" %} SecLists includes a handy list of [FTP default credentials](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt). {% endhint %} ## Configuration files It is important to examine these config files: ``` ftpusers ftp.conf proftpd.conf ``` ## Other ### Binary and ASCII Binary and ASCII files have to be uploading using the `binary` or `ascii` mode respectively, otherwise, the file will become corrupted. Use the corresponding command to switch between modes. ### Download all files from FTP ```bash wget -m ftp://anonymous:anonymous@10.10.10.98 #Donwload all wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all ```